
Russian group Clop attacks US government agencies

Clop emerges as a possible leading actor. The group, active since 2018, targets organizations affected by a specific vulnerability.

Yesterday, US cybersecurity officials said a "small amount" of government agencies have been affected by data breaches as part of an extensive hacking campaign. The culprit is likely the Russia-based Clop ransomware group. This group of cybercriminals took advantage of a vulnerability in the MOVEit file transfer service to obtain valuable data from its victims, including Shell, British Airways and the BBC. However, targeting US government agencies could only heighten global law enforcement vigilance over these cybercriminals, who are already in the spotlight for their recent spate of hacking attacks.

Response of the security bodies to the cyber threat

Progress Software, owner of MOVEit, patched the vulnerability in late May. The United States Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI, released a warning on June 7 about Clop's exploitation of the vulnerability and the urgent need for all organizations, public and private, to patch it. A senior CISA official informed reporters yesterday that all of the US government's MOVEit instances have now been updated.

Victims of the hacking campaign and CISA action

CISA officials declined to disclose which US agencies are victims of the campaign, but confirmed that the Department of Energy has notified CISA that it is among them. CNN further reported that the wave of attacks affected the driver's license and ID data of millions of Louisiana and Oregon residents. In the past, Clop has claimed attacks against the Minnesota and Illinois state governments.

Analysis of the attack and implications for US-Russia relations

"We are currently providing support to several federal agencies that have had their MOVEit applications hacked," CISA director Jen Easterly told reporters on Thursday. "Based on discussions we have had with industry partners in the Joint Cyber Defense Collaborative, these intrusions are not being used to gain broader access, to gain persistence on target systems, or to steal specific high-value information - in summary, as we understand it, this attack is largely opportunistic."

Despite Clop's history as a standard ransomware actor, known for finding and exploiting vulnerabilities in widely used software and equipment to steal information from various businesses and institutions and then launch data extortion campaigns against them, CISA has seen no threats from Clop to release data stolen from the US government. Also, a senior CISA official, who spoke to reporters on condition of anonymity, said there was currently no evidence that Clop was coordinating with the Russian government. Clop, for its part, said it focuses on businesses and erases any data from governments or law enforcement agencies.

Despite the absence of direct coordination between the Kremlin and Clop, research has consistently highlighted links between the Russian government and ransomware groups. Under these arrangements, such groups can operate from Russia with impunity, provided they do not target victims in the country and respect the influence of the Kremlin. Does Clop really erase the data it collects from government victims? Allan Liska, an analyst for the security firm Recorded Future, which specializes in ransomware, says it is "highly probable" that any information Clop collects from the US government or other targets of interest will be shared with the Kremlin.

06/17/2023 10:11

Editorial AI
